Commit 6541e1b2 authored by YJ, committed by Amaury Martiny

#516 Set CSP in Meta tag (#517)

* feat: set csp meta in index.html for prod

* fix grumbles
parent f2cb900f
Pipeline #36935 passed with stages
in 10 minutes and 41 seconds
......@@ -37,6 +37,9 @@ function setupRequestListeners (fetherApp) {
// Content Security Policy (CSP)
// Note: `onHeadersReceived` will not be called in prod, because we use the
// file:// protocol:
// Instead, the CSP are the ones in the meta tag inside index.html
session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
`Configuring Content-Security-Policy for environment ${
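Review bot: The policy is now maintained in two places, this `onHeadersReceived` handler for dev and the meta tag in index.html for prod, and nothing in this hunk keeps them in sync, so the two can drift and dev testing will not reflect what prod enforces. Consider generating the meta tag content from the same directive list at build time, or adding a test that compares the two. If the header policy uses `frame-ancestors`, `report-uri` or `sandbox`, note that these are ignored when a policy is delivered through a meta tag. Minor wording: "the CSP are the ones in the meta tag" reads better as "the CSP is the one defined in the meta tag".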
......@@ -4,8 +4,25 @@
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js -->
<meta name="theme-color" content="#000000">
<!-- These CSP are for prod. For dev, CSP are set inside @electron-app -->
<meta http-equiv="Content-Security-Policy" content="
child-src 'none';
connect-src https: ws:;
default-src 'none';
font-src 'none';
form-action 'none';
frame-src 'none';
img-src 'self' 'unsafe-inline' file: data: blob: https:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src 'none';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline' http:;
worker-src blob:;
manifest.json provides metadata used when your web app is added to the
homescreen on Android. See
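Review bot: `script-src 'self' 'unsafe-inline'` in the new meta tag permits inline scripts and inline event handlers, which gives up most of what a CSP offers against script injection in the renderer; drop `'unsafe-inline'` if the bundle does not need it, or allow the specific inline scripts by hash. Further points on the same tag: `connect-src https: ws:` allows any host and cleartext WebSocket, so consider `wss:` or listing the endpoints the app actually talks to; `style-src ... http:` allows stylesheets fetched over plain HTTP; and `'unsafe-inline'` has no effect in `img-src` and can be removed. The comment "CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js" now sits beside "These CSP are for prod", so it should say that it applies to dev only.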